CVE-2020-36167

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before hotfix 657517. On start-up, it loads the OpenSSL library from the Installation folder. This library in turn attempts to load the /usr/local/ssl/openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf. A low privileged user can create a :\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain.

Se detectó un problema en el servidor en Veritas Backup Exec versiones hasta 16.2, versiones 20.6 anteriores a la hotfix 298543 y versiones 21.1 anteriores a la hotfix 657517. Al iniciar, carga la biblioteca OpenSSL desde la carpeta de instalación. Esta biblioteca, a su vez, intenta cargar el archivo de configuración /usr/local/ssl/openssl.cnf, que puede no estar presente. En sistemas Windows, esta ruta podría traducirse a (drive):\usr\local\ssl\openssl.cnf. Un usuario poco privilegiado puede crear un archivo de configuración:\usr\local\ssl\openssl.cnf para cargar un motor OpenSSL malicioso, resultando en una ejecución de código arbitraria como SYSTEM cuando se inicia el servicio. Esto le otorga al atacante acceso de administrador al sistema, permitiendo al atacante (por defecto) acceder a todos los datos, acceder a todas las aplicaciones instaladas, etc. Si el sistema también es un controlador de dominio de Active Directory, entonces esto puede afectar a todo el dominio

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-06 CVE Reserved
2021-01-06 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (2)

URL	Tag	Source
https://www.kb.cert.org/vuls/id/429301	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.veritas.com/content/support/en_US/security/VTS20-010	2021-01-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Veritas Search vendor "Veritas"		Backup Exec Search vendor "Veritas" for product "Backup Exec"				>= 20.0 < 20.0.1188.2734 Search vendor "Veritas" for product "Backup Exec" and version " >= 20.0 < 20.0.1188.2734"		-		Affected
Veritas Search vendor "Veritas"		Backup Exec Search vendor "Veritas" for product "Backup Exec"				>= 21.0 < 21.0.1200.1217 Search vendor "Veritas" for product "Backup Exec" and version " >= 21.0 < 21.0.1200.1217"		-		Affected